FTP PASV mode usage on the net
I just connected to Microsoft's FTP server to get stats on the percentage of individuals using
FTP passive mode; a copy of the session follows:
-------------------------------------------------------------
telnet FTP.MICROSOFT.COM 21
Trying 198.105.232.1...
Connected to ftp.microsoft.com.
Escape character is '^]'.
220 ftp Microsoft FTP Service (Version 3.0).
USER FTP
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS FTP
230-This is FTP.MICROSOFT.COM
230-Please see the dirmap.txt file for
230-more information.
230 Anonymous user logged in.
SITE STATS
200-ABOR : 302878
ACCT : 6
ALLO : 1
APPE : 12
CDUP : 180296
CWD : 2643776
DELE : 969
HELP : 2825
LIST : 1960318
MKD : 763
MODE : 315
NLST : 58931
NOOP : 539571
PASS : 1593667
PASV : 1428243
PORT : 2120405
PWD : 1080190
QUIT : 349168
REIN : 13
REST : 293760
RETR : 1495575
RMD : 240
RNFR : 158
RNTO : 16
SITE : 3933
STAT : 6098
STOR : 6566
STRU : 550
SYST : 381727
TYPE : 3183166
USER : 1610611
XCWD : 21
XMKD : 39
XPWD : 1866
XRMD : 23
200 End of stats.
QUIT
221 Thank you for using FTP.MICROSOFT.COM!
-------------------------------------------------------------
Here are the highlights:
PASV : 1428243
PORT : 2120405
PASV mode usage accounts for 40.25% of the users on Microsoft's site, while PORT mode usage
accounts for 59.75%.
That means that if an FTP pizza thief program is successful in beating out connections to the
data port 50% of the time, you'd be able to DoS 20% of the users and obtain 20% of the
information flowing through the site.
If you'd like to try getting the Microsoft site stats yourself, it's quite simple. In Windows,
click on the START button, click on RUN, type in (without the quotes) "telnet ftp.microsoft.com
21" and click on OK. You will see "220 ftp Microsoft FTP Service (Version 3.0)", and at that point
you can type (but you won't see your typing) "USER FTP" followed by the Enter key, then type
"PASS FTP" followed by the Enter key. You will now see "230 Anonymous user logged in" if you
logged in OK. If not, you may want to see what you're typing: click on Terminal, Preferences,
check the box that says "local echo" and click on OK. Now dump the site statistics by typing
"SITE STATS" and then hit Enter.
That's all there is to it. After doing "SITE STATS", if you feel like it, type "PASV" and hit
Enter. It will respond like this: "227 Entering Passive Mode (198,105,232,1,13,131)." The
198,105,232,1 is the Internet address of the Microsoft server. The 13,131 is the magic port
number that has been opened for you. Now do another PASV command; you'll see the port number
(last two numbers) change.
Watch this:
227 Entering Passive Mode (198,105,232,1,14,242).
pasv
227 Entering Passive Mode (198,105,232,1,14,252).
That was two PASV commands almost right after each other. The data port incremented by 10 (242 to
252). That means that ports 243, 244, 245, 246, 247, 248, 249, 250 and 251 were allocated for
other people within that split second. If I have a program to try connecting to those ports and I
actually connect before the other people get to them, I get the data they should have gotten, all
this because I can guess at what ports they're using by what ports I'm being given. I can also
guess that the next ports 253, 254, 255... will be allocated, and because I'm trying to connect at
the same time as someone else is being told "here's a port for you to use", I get an even faster
jump on them.
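As an added example (not code from the original post), the following Python parses 227 replies into host and port the way RFC 959 defines them (port = p1*256 + p2) and checks whether the ports a server hands out across consecutive PASV commands are sequentially allocated, which is what makes them guessable. An FTP server operator can feed it the replies from their own server to audit whether the daemon needs a randomised passive-port range. The sequential sample is the two replies quoted above; the second sample is constructed for contrast.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, data_port) from a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one byte
    port = p1 * 256 + p2  # e.g. 14,252 -> 14*256 + 252 = 3836
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def assess_pasv_predictability(replies: List[str], max_gap: int = 64) -> Dict[str, object]:
    """Compute the data ports from consecutive PASV replies and flag sequential
    allocation: every gap small and positive means the next port is easy to guess."""
    ports = [hp[1] for hp in (parse_pasv(r) for r in replies) if hp is not None]
    gaps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = len(gaps) > 0 and all(0 < g <= max_gap for g in gaps)
    return {"ports": ports, "gaps": gaps, "sequential": sequential}


# The two back-to-back replies quoted in the post above.
SEQUENTIAL_SAMPLE = [
    "227 Entering Passive Mode (198,105,232,1,14,242).",
    "227 Entering Passive Mode (198,105,232,1,14,252).",
]

# Constructed sample: a server drawing passive ports from a randomised range.
RANDOMISED_SAMPLE = [
    "227 Entering Passive Mode (198,105,232,1,200,17).",
    "227 Entering Passive Mode (198,105,232,1,95,140).",
]

if __name__ == "__main__":
    for name, sample in (("quoted", SEQUENTIAL_SAMPLE), ("constructed", RANDOMISED_SAMPLE)):
        print(name, assess_pasv_predictability(sample))
```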
Have fun and play around with it; let me know what questions you have. Also let me know what
questions people have about the exploit; after I have those, I'll write a more directed and
detailed synopsis.
-Jeff Gerber